Posted 18 May 2011

Update on PSN Password Reset Process


We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting passwords there was a URL exploit that we have subsequently fixed.

Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up.


Well it was an exploit because it meant that anyone with the user’s e-mail and date of birth could change their password without any other intervention and because this information was most likely in the list of stolen details.

Still, good job that the person who found it quickly told you and this time you took action.

Still, this is an amateur mistake to make; no user should be able to change their password without having a reset token sent to their email account to properly verify ownership of the account. Even the most basic of user systems generally have better authentication than using birth date and email as proof, especially as this data was recently compromised (though it is freely available on some sites).

Anyway, rant out of the way, I’m glad you discovered this exploit soon and patched it before any real damage (I hope) has been caused.
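
An added example, not part of the original post or its comments and not Sony's code: the reset design the comment above criticizes (email plus date of birth) beside the emailed single-use token it calls for. The class and method names, the token lifetime and the in-memory storage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed token lifetime for this example

class ResetService:
    """In-memory model of an account store and its password-reset tokens."""

    def __init__(self):
        self.accounts = {}  # email -> {"dob", "password"}; a real store keeps a salted hash
        self.tokens = {}    # sha256(token) -> (email, expiry); the raw token is never stored
        self.outbox = []    # (email, token) pairs; stands in for the mail system

    def add_account(self, email, dob, password):
        self.accounts[email] = {"dob": dob, "password": password}

    def weak_reset(self, email, dob, new_password):
        """Flawed design: knowing the email and date of birth is enough."""
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(acct["dob"].encode(), dob.encode()):
            return False
        acct["password"] = new_password
        return True

    def request_reset(self, email, now=None):
        """Hardened step 1: mail a random token to the address on file."""
        now = time.time() if now is None else now
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = (email, now + TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))
        # Same answer either way, so the form does not reveal which addresses exist.
        return True

    def complete_reset(self, token, new_password, now=None):
        """Hardened step 2: accept only an unexpired token, and only once."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)  # pop makes the token single-use
        if entry is None or now > entry[1]:
            return False
        self.accounts[entry[0]]["password"] = new_password
        return True
```

With `weak_reset`, the only proof of ownership is data that may already be in someone else's hands; with the token flow, the proof is access to the mailbox on file.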

Well, now that’s fixed, I guess now everything goes back to *fully* normal. Good for the media who contacted you too, I applaud them, because anyone else would have just posted right away without even contacting you.

C’mon Sony! You’d think after the month of hell you’d had, you’d have thought of better security for the password reset process! I’m getting worried you’re just institutionally lax with security, I hope I’m wrong as I’ve been loyal to the PlayStation brand since my PS1 back in 1995. At least you’ve communicated quicker this time.

It’s ridiculous. That email for resetting my pw took 3 f’ing days. And then the link I have to click on says “under maintenance”. I want to get into my main account. How am I supposed to get my account working??? I even already called the German support number but all they said was: “well, err, we don’t know.” and hung up on me. Give me and all the others some information. Please.

Do we only get the emails sent to us if we change our passwords by the website and not our PS3s? I changed mine via PS3 a few days back and it never said anything about an email (which I haven’t got). Also, any news when the store will be back online? (Which reminds me, I need to cancel my credit card… Meh).

I had to recover another account last night, clicked email and received my email instantly. I don’t understand how it’s worked twice for me now instantly and not for others, but yeah, as others have said, well done for getting it sorted fast.

For people who are asking about PS STORE, it will be up and running by 31st of May. It could be any time between now & end of May. From what I’ve been told they are close to getting it up and running (HOPE SO) :D

Guys, whenever your password is changed, you get sent an email. If you get one when you know you DIDN’T change it, or if you changed it yesterday, got a confirmation email but then received another one, then worry about it.

@saumibane As a network engineer, yes I do know how an incursion, or as you expertly stated a ‘hack thing’ can take a lot of time to sort.. What we are all saying, and I don’t think you’ve grasped this is that this is a new, unrelated process to the hack, and Sony have blundered into another security issue. You’ll also note that many of us support Sony, but are getting a little tired of these screwups.

If you’ve updated to the newest version on your PS3, you should be able to change the password there (on your PS3). It’s what I did (didn’t get any emails about it though). The version you should be on now is 3.61.

@lil_m00. No. I for example have never downloaded anything from the PS Store since I prefer to hold my games and videos as a disc in my hands. That means according to the Sony instructions that the account is not activated on your PS3, so the hackers that got our data could just be faster than us and use a random PS3 to change our pw’s and get our accounts. That’s why they send those of us emails instead. However Sony f’ed it up. It’s not our email browsers, cause when you create a new account you get an email instantly. So it’s not the mail providers. It’s Sony. They screwed up again and now fail at helping us at getting our main accounts by not replying/reacting.

There are still people who don’t have access to their accounts. Whose idea was it to send all these e-mails anyway? It has to be the most braindead idea ever. You are punishing people for not downloading from PS Store before your inadequate Californian Servers were compromised. I was using a new PS3 when this happened, I didn’t get time to use the store for a quick download. And if 3.5 weeks wasn’t bad enough, I had to wait 48 hours for my e-mail. Would you be happy if that was you?

Why couldn’t everyone just get the same password reset option when PSN went back up?